This chapter is consistent with the State Technology
Law § 208, as added by Chapters 442 and 491 of the Laws
of 2005. This chapter requires notification to impacted New York residents
and nonresidents. New York State and the Village of Round Lake value
the protection of private information of individuals. The Village
of Round Lake ("Village") is required to notify an individual when
there has been or is reasonably believed to have been a compromise
of the individual's private information in compliance with the Information
Security Breach and Notification Act and this chapter.
The Village, after consulting with the Village's computer
consultant and the Office of Cyber Security and Critical Infrastructure
Coordination ("CSCIC") to determine the scope of the breach and restoration
measures, shall notify an individual when it has been determined that
there has been or is reasonably believed to have been a compromise
of private information through unauthorized disclosure.
If encrypted data is compromised along with the corresponding
encryption key, the data shall be considered unencrypted and thus
fall under the notification requirements.
Notification may be delayed if a law enforcement agency
determines that the notification impedes a criminal investigation.
In such case, notification will be delayed only as long as needed
to determine that notification no longer compromises any investigation.
Electronic notice, provided that the person to whom
notice is required has expressly consented to receiving said notice
in electronic form and a log of each such notification is kept by
the Village who notifies affected persons in such form;
Substitute notice if the Village demonstrates to the
State Attorney General that the cost of providing notice would exceed
$250,000, or that the affected class of subject persons to be notified
exceeds $500,000, or the Village does not have sufficient contact
information. Substitute notice shall consist of all of the following:
The Village shall notify the Attorney General and
the Consumer Protection Board, whenever notification to a New York
resident is necessary, as to the timing, content and distribution
of the notices and approximate number of affected persons.
Regardless of the method by which notice is provided,
such notice shall include contact information for the village making
the notification and a description of the categories of information
that were or are reasonably believed to have been acquired by a person
without valid authorization, including specification of which of the
elements of personal information and private information were or are
reasonably believed to have been so acquired.
When more than 5,000 New York residents are to be
notified at one time, then the Village shall notify the consumer reporting
agencies as to the timing, content and distribution of the notices
and the approximate number of affected individuals. This notice, however,
will be made without delaying notice to the individuals.